CVE-2021-37402

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via binary data that is mishandled when the legacy dataretrieval endpoint has been enabled.

CVE-2021-26699

OX App Suite before 7.10.3-rev4 and 7.10.4 before 7.10.4-rev4 allows SSRF via a shared SVG document that is mishandled by the imageconverter component when the .png extension is used.

CVE-2021-26698

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and the dl parameter is used.

CVE-2020-15003

OX App Suite through 7.10.3 allows Information Exposure because a user can obtain the IP address and User-Agent string of a different user (via the session API during shared Drive access).

CVE-2020-15004

OX App Suite through 7.10.3 allows stats/diagnostic?param= XSS.

CVE-2020-8541

OX App Suite through 7.10.3 allows XXE attacks.

CVE-2020-8544

OX App Suite through 7.10.3 allows SSRF.

CVE-2020-8542

OX App Suite through 7.10.3 allows XSS.

CVE-2020-8543

OX App Suite through 7.10.3 has Improper Input Validation.

CVE-2021-37403

OX App Suite before 7.10.3-rev32 and 7.10.4 before 7.10.4-rev18 allows XSS via a code snippet (user-generated content) when a sharing link is created and an App Loader relative URL is used.